I am trying to authenticate to Google API services from a web server to check Customer subscription statuses. I am using PHP on my server. I could figure out how to get the access token from the server with the service account I have generated on the API console.
It works fine, but just after it pops up an authentication screen and once I log in with my user account. I was reading the documentation and it should work without asking me to log in, but I cannot figure out what is the problem.
My code is like this
$clientID="{my service account email address}.apps.googleusercontent.com";
$clientSecret="{my service account secret code}"; //Actually this is not used by the call
$scope="https://www.googleapis.com/auth/androidpublisher";
$ch = curl_init();
$input_fields =
'&client_id='.$clientID.
'&response_type=code'.
'&type=service_account'.
'&scope='. $scope .
'&redirect_uri={my Redirect URI, set on the API Console}';
curl_setopt($ch, CURLOPT_URL, "https://accounts.google.com/o/oauth2/auth");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $input_fields);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$result = curl_exec($ch);
Once this code is running, the authentication screen comes up, I need to grant access for website to access the API on behalf of my user account. After that I get the access token and the scope in a json using the Redirect URI page.
How can I avoid to be asked for my user account and just get the access token automatically?
Thanks for helping me out here.
Related
I am currently looking for a SSO solution to access MS Graph and Storage Accounts with a signle interactive user login. When I connect via Connect-AzAccount and grab the token via Get-AzAccessToken it will cut all the required scopes (intune administrator scopes)
Connect-AzAccount
$token = (Get-AzAccessToken -ResourceTypeName MSGraph).token
connects sucessfully but failes when running query below
Connect-MgGraph -AccessToken $token
$GraphURI="https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/?$filter=contains(displayName, '7-Zip - 19.00')"
FAILES no scopes
$GraphResponse = Invoke-RestMethod -Uri $GraphURI -Method "GET" -ErrorAction Stop -Verbose:$false
When I try to other way around (connect via graph and grab the token) those wont match
[Microsoft.Identity.Client.AuthenticationResult]$AccessTokenGraph != [Microsoft.Azure.Commands.Profile.Models.PSAccessToken] $AccessTokenAzAccount
Is there a way to do it? Its important that its done via an interactive login and not via a certficate or app registration.
Thank you!
Eli
Note that : Connect-AzAccount authenticates the user with Azure and this authenticated account can be used only with Azure Resource Manager requests and Connect-MgGraph allows the connection to Microsoft Graph.
I tried to reproduce the same in my environment and got the results like below:
When I tried to connect to Mg Graph by using the access token generated by Get-AzAccessToken I got the error as below:
Connect-AzAccount $token = (Get-AzAccessToken -ResourceTypeName MSGraph).token
Connect-MgGraph -AccessToken $token
$GraphURI="https://graph.microsoft.com/beta/deviceAppManagement/mobileApps
$GraphResponse = Invoke-RestMethod -Uri $GraphURI -Method "GET" -ErrorAction Stop -Verbose:$false
Based on your requirement it is not feasible to have a single interactive user login to access both MS Graph and Storage Accounts. You have to connect AzAccount and MgGraph once at a time as access token of both varies.
You can connect to MgGraph in several ways, and I am able to fetch the details of deviceAppManagement successfully like below:
Reference:
Using Microsoft Graph PowerShell authentication commands
I am using Laravel 8 and react for frontend. I'm using laravel passport for authentication.
Once user logs in, a token is generated and stored in browser's local storage. Then after retriving access token from local storage I setting it into the axios Authorization header to verify the user authenticity on every request.
I am integrating Paytm payment gateway using standard checkout.
I have created a callback API which call after transaction is completed and this API is protected by auth:api middleware means only logged in users can access the API.
So when user click on pay button, he is redirected to Paytm payment gateway page. On this page user does not have the access token in local storage.
So once transaction is completed callback API is called but no token is sent in the request Authorization header and user is restricted to access the API.
I have even tried saving access token in session before user redirects to payment gateway page and retrieves it in the middleware attached on the callback API but session value is null.
How can I overcome this problem?
I'm working on a intranet-based application and I want to use Google services. Currently I have successfully implemented Google Authentication with "Sign-In for Websites" using JavaScript client-side authentication. My users can now sign in or sign up with their Google accounts.
Now I want to use Google API to create and share Google Sheets with my users. These documents will be created with a specific Google account and then shared with my users.
This is why I want to use this server-slide flow to get a one-time authorization code and exchange it for a refresh token:
https://developers.google.com/identity/sign-in/web/server-side-flow
This refresh token will be stored in my database allowing me to user Google services on behalf of this offline user.
Using JavaScript library, I was able to get the one-time authorization code that I send to my server with a AJAX request.
auth2.grantOfflineAccess({'redirect_uri': 'postmessage'}).then(grantOfflineAccessCallback);
var grantOfflineAccessCallback = function(authResult) {
var auth_code = authResult.code;
// Exchange the one-time authorization code for tokens
$.post(...);
}
On server-side I use Google API PHP Client (v2.0.0-RC6) to acquire an access and refresh token.
$this->client = new Google_Client();
$this->client->setClientId($this->clientId);
$this->client->setClientSecret($this->clientSecret);
$this->client->setAccessType('offline');
$this->client->setApprovalPrompt('force');
$response = $this->client->fetchAccessTokenWithAuthCode($oneTimeCode);
I wasn't able to exchange the authorization code.
Client error: `POST https://www.googleapis.com/oauth2/v4/token` resulted in a `400 Bad Request` response:
{
"error": "invalid_request",
"error_description": "Missing parameter: redirect_uri"
}
On this page we can read:
On the server, exchange the auth code for access and refresh tokens.
Use the access token to call Google APIs on behalf of the user.
On the JAVA example code:
REDIRECT_URI: // Specify the same redirect URI that you use with your web
// app. If you don't have a web version of your app, you can
// specify an empty string.
Because the application I working on is an intranet application, I tried to specify an empty string for this redirect_uri parameter before calling fetchAccessTokenWithAuthCode() method:
$this->client->setRedirectUri('');
... result in Redirect URI must be absolute.
Can we use this hybrid server-slide flow without callback URL?
Is there any solution to my problem?
Thanks,
Edit:
redirect_uri is where the user will be redirected to after he signed in. This URL must be registered in the Google Project (developers console). So redirect_uri is NOT the callback...!
Problem is now solved with:
$this->client->setRedirectUri('http://same.url.as.in.developers.console/');
Does anyone know how to get the app access token to a One-Drive API app?
I've tried combining {appId}|{appSecret} as the access_token param and as the Authorization header but it doesn't seem to work.
Thanks,
The OneDrive API docs have a good section on getting auth tokens with OAuth. In a nutshell, there are two services involved -- the OneDrive API service and the authentication service. The OneDrive API only accepts OAuth tokens that were issued by the authentication service. The authentication service is what you talk to first to get an auth token.
Depending on your app, you can either use the token flow or the code flow to get an auth token. In the 'token' flow, you navigate the user's browser to the authentication endpoint with your appId. The user may need to log in, consent, etc., and then the authentication endpoint redirects back to your site with an auth token you can use. The 'code' flow is similar to the 'token' flow, except it redirects back with an authentication code that your client app can use (along with its client secret) to obtain an auth token and a refresh token. Once you have a refresh token, you can use that to obtain future auth tokens without the user's involvement (as long as they granted the wl.offline_access scope).
I am developing an app in PHP hosted on Heroku, and my biggest problem is not getting access tokens for a user to get my app to fully work. The app works perfectly for me (as I am an admin), but other people who arent associated with the app cannot get the app to display anything. I also tried using test users to see if it would work, but still no luck. Im pretty sure it has to do with access tokens and the app not having permission to do its thing. How and where do I fix this?
for user access_token i use, where the number is the application id.
if($_SESSION['fb_135669679827333_access_token']){
$access_token = $_SESSION['fb_135669679827333_access_token'];
}
for application access token i use cURL. the return results are like access_token=xxxxxxxxxx
use like - /anotherfeed/feed?$app_access_token
$app_access_token = GetCH();
function GetCH(){
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://graph.facebook.com/oauth/access_token?client_id=APP_ID&client_secret=SECRET_KEY&grant_type=client_credentials");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
if(substr($url,0,8)=='https://'){
// The following ensures SSL always works. A little detail:
// SSL does two things at once:
// 1. it encrypts communication
// 2. it ensures the target party is who it claims to be.
// In short, if the following code is allowed, CURL won't check if the
// certificate is known and valid, however, it still encrypts communication.
curl_setopt($ch,CURLOPT_HTTPAUTH,CURLAUTH_ANY);
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,false);
}
$sendCH = curl_exec($ch);
curl_close($ch);
return $sendCH;
};